
New Poll (And Article) At Dark Reading

Thanks to the unorthodox release of the DNS bug, there’s been a lot of debate in the past few weeks over disclosure. I posed a question here on the blog, and reading through the responses it became obvious that all of us base our positions on gut instinct, not empirical evidence. Andrew Jaquith, in the comments, suggested we take a more scientific approach to the problem, and this inspired my latest Dark Reading article, and a poll. Here’s an excerpt:

Sure, we all have plenty of anecdotal evidence to support our personal positions. We can all cite cases of this or that vendor tirelessly defending its customers, or putting them at mortal risk based on their handling of some vulnerability. We all know someone that suffered real losses at the hands of the latest random Metasploit exploit module, and someone else who used it to close critical holes in their security defenses before the bad guys made it in. We all talk about Blaster, Code Red, and other past incidents like they have any relevance in today’s world, which we all also admit has changed completely from a few years ago. There’s a word for picking and choosing examples to support a pre-existing belief without any scientific basis. It’s called religion. I propose that it’s long past time we brought some current science into the game. It’s time to move past anecdotal evidence or one-off cases into the wider-ranging realm of epidemiological studies. It’s time to ask the users what they want, while developing risk metrics to allow them to make informed decisions despite their personal opinions. We may not reach definitive conclusions, and even if we do, they probably won’t last nor change the minds of the truly religious. But it’s always better to seek more data than to dismiss it before we even see it.

As a small first step, we attached a poll to the article to measure how different demographic groups (users, researchers/testers, and vendors) feel about disclosure. It’s not truly scientific, both because of the wording of the question and the self-selection bias of the readers, but I’ll always err on the side of more data over less.

So take the poll, and we’ll get the results up in a couple of weeks. Until then, see ya at Black Hat and DefCon!

—Rich


Comments:


By Andre Gironda  on  08/03  at  08:34 PM

I don’‘t see how that survey is going to help.  It’s two questions with basically true/false answers.

By Wesley McGrew  on  08/03  at  08:59 PM

At least in the case of the flaw in DNS, just knowing the details of the vulnerability makes it easy to create a weaponized exploit.

It’s not some Mark Dowd-esque mindbender of an integer overflow. It’s a simple loop of "make requests and keep throwing this answer until it sticks".

By rmogull  on  08/03  at  09:08 PM

@dre- it’s not a survey, it’s a poll. That’s why I put all the qualifiers around it. I’m not pretending it’s more than it is. But no one else has asked that question yet and had people identify their demographic, so I think the results will be interesting.

By rmogull  on  08/03  at  09:10 PM

@wesley

That’s true, but I argue that the number of people that can turn that information into a workable exploit based on the vulnerability information is a tiny fraction of the people who can run a simple tool that’s already built. It’s a question of numbers, not possibility.

By ds  on  08/06  at  02:24 AM

To me, the whole debate around disclosure has a hint of arrogance to it. It is based on the assumption that the (perhaps pseudo)responsible researcher has discovered something that no one else could be aware of.

I’d suggest that the black hats are just as good, if not better, than security researchers. As crime becomes a motive, they will surely be as well funded as, say, a researcher working for Core and much better funded than independents.

I’d like to see some primary research to discover if the source of attacks after disclosure is really based on people using newly published knowledge, or people with previous knowledge making the most of their toy until it is patched.

I’ve often suspected this was the case with the Witty worm. Looking at the spread pattern, it hit .mil sites really hard, and was destructive. Might have been someone covering their tracks after leveraging the underlying flaws for who knows how long.

And there goes the hard part. We suck at detecting abstract attacks. We’re good at seeing what we know. So, we only tend to see these attacks after they are disclosed, and then we see them in bunches and this confuses our thought.
